Abstract

Although a deterministic polytime algorithm for primality testing is now known ([!]), the Rabin-Miller randomized test of primality continues to be the most efficient and widely used algorithm.

We prove the correctness of the Rabin-Miller algorithm in the theory $V^1$ for polynomial time reasoning, from Fermat's little theorem. This is interesting because the Rabin-Miller algorithm is a polytime randomized algorithm, which runs in the class RP (i.e., the class of polytime Monte-Carlo algorithms), with a sampling space exponential in the length of the binary encoding of the input number. (The class RP contains polytime P.) However, we show how to express the correctness in the language of $V^1$, and we also show that we can prove the formula expressing correctness with polytime reasoning from Fermat's Little theorem, which is generally expected to be independent of $V^1$.

Our proof is also conceptually very basic in the sense that we use the extended Euclid's algorithm, for computing greatest common divisors, as the main workhorse of the proof. For example, we make do without proving the Chinese Remainder theorem, which is used in the standard proofs.

1 Introduction 



A deterministic polytime algorithm for primality testing is now known ([!]), although it does not follow that the correctness of this algorithm can be shown with polytime concepts, and it is not at all clear that there exists a polytime proof of correctness.

In practice, the Rabin-Miller randomized algorithm for primality testing is the most widely used algorithm. It is fairly simple to describe, and very efficient (it runs in time $O(n^4)$, where $n$ is the size of the binary encoding of the input number). The proof of correctness is basic, in the sense that it does not use major results of number theory; it is our task in this paper to provide a proof in the polytime theory $V^1$ ([1]) from Fermat's Little theorem (a "pure" $V^1$ proof cannot be expected, as Rabin-Miller is an RP algorithm). Our result distills the hard (from a proof complexity point of view) theorem behind the correctness of the algorithm.

The proof complexity of randomized algorithms has been studied in depth in [2], and indeed it is shown there ([2, Example 3.2.10]) that there is an RP predicate $P(x)$, which is 1/2-definable in Buss' polytime theory $S^1_2$, such that $S^1_2$ proves "$P(x)$ iff Fermat's Little Theorem". In our case, we use the basic machinery of $V^1$ and the following assertion of correctness: for every non-witness of compositeness there is a unique witness of compositeness (see Figure 4). This shows that at least half the elements of the sample space are witnesses, and proves the correctness of the algorithm.

Further, [2] claims that $S^1_2$ is able to prove that every number is uniquely representable as a product of prime powers, and the proof of the correctness of the Rabin-Miller algorithm given there relies on this. If we could prove the same fact in $V^1$, we would have a polytime algorithm for factoring. This is the main difference when using our technique; we never argue about the factorization of numbers. The 1/2-definability (or, in general, $s/t$-definability) given in [2] is a slightly more general approach to comparing set sizes. To state that $|A|$ is at least $(s/t)|B|$, it states the existence of a surjective mapping from $t \cdot A$ to $s \cdot B$. In this paper, we force our mapping to be multiplication modulo $P$, whereas [2] allows it to be any polysize circuit.

No extra assumptions are necessary to prove the correctness of the algorithm 
on composites. However, to show that there are no false negatives, i.e., to show 
that the algorithm always answers correctly on inputs that are prime numbers, 
we use Fermat's little theorem. 

While there is no independence result showing that $V^1 \nvdash$ "Fermat's little theorem", it is believed that it is not provable in $V^1$. The reason for this belief (following [1]) is that the existential content of Fermat's little theorem can be captured by its contrapositive form:

$$\underbrace{(1 < a < n) \wedge (a^{n-1} \not\equiv 1 \pmod n)}_{\text{hypothesis}} \;\supset\; \exists d\,(1 < d < n \wedge d \mid n) \qquad (1)$$

and if we could prove Fermat's theorem in $V^1$, we could obviously prove the above formula as well (note that $a^{n-1} \pmod n$ can be computed in polytime by repeated squaring).

If (1) were provable in $V^1$, then by a witnessing theorem it would follow that a polytime function $f(a, n)$ exists whose value $d = f(a, n)$ provides a proper divisor of $n$ whenever $a, n$ satisfy the hypothesis of (1). With the exception of the so-called Carmichael numbers, which can be factored in polynomial time, every composite $n$ satisfies the hypothesis for at least half of the values of $a$, $1 < a < n$. Hence, $f(a, n)$ would provide a probabilistic polytime algorithm for integer factoring. Such an algorithm is thought unlikely to exist, and would provide a method for breaking the RSA public-key encryption scheme.

In short, it is interesting to see how strong a theory one needs in order to prove the correctness of the Rabin-Miller algorithm. Since we do not know if it is possible to derandomize probabilistic polytime computations, we cannot hope to have a purely polytime proof in this case. It is still worthwhile to isolate the assumptions on which the theory "falls short" of the task, i.e., what is the principle underlying the Rabin-Miller algorithm which is responsible for the apparent inability of a polytime theory to prove its correctness? We answer that it is Fermat's little theorem, and show that $V^1$ proves the equivalence of the correctness of the Rabin-Miller algorithm (properly stated) and Fermat's Little theorem.

This paper is organized as follows. In section 2 we describe very briefly the theory $V^1$ for polytime reasoning. For a full background on $V^1$ see the book [1]. In section 3 we give some number theoretic preliminaries, we recall the extended Euclid's algorithm, and note that it can be shown correct in $V^1$. We also recall Euler's theorem and Fermat's Little theorem. In section 4 we show how we can build an algorithm for pseudoprimality (a number is pseudoprime if it is prime or a Carmichael number) from Fermat's Little theorem. This introduces the Rabin-Miller test of primality, which extends the pseudoprimality test by coping with the Carmichael numbers. The presentation of the Rabin-Miller algorithm, and its $V^1$ proof of correctness from Fermat's Little theorem, are given in section 5.

Finally, note that the original work on the Rabin-Miller algorithm has been published in [5, 6], but we use the presentation of the algorithm as given in [7].

2 The theory V 1 

In this section we introduce briefly the theory $V^1$ for polytime reasoning; see [1] for a full and detailed treatment.

$V^1$ is a two-sorted theory, where the two sorts are indices and strings. The strings are formally sets of numbers, where the correspondence with strings is given by $i \in X$ iff the $i$-th bit is 1. We think of the strings as numbers encoded in binary. The indices are unary numbers used to index the strings, and their role is auxiliary; the main objects of interest are strings, which will encode numbers. The vocabulary of our theory is $\mathcal{L}^2_A = \{0, 1, +, \cdot, |\,|;\ =_1, =_2, \le, \in\}$.

Here the symbols $0, 1, +, \cdot, =_1$ and $\le$ are from the usual vocabulary of Peano Arithmetic, and they are function and predicate symbols over the first sort (indices). The function $|X|$ (the "length of $X$") is a number-valued function and it is intended to denote the length of the string $X$. The binary predicate $\in$ takes a number and a string as arguments, and is intended to be true if the position in the string given by this number is 1. (Note that technically, the strings are sets of numbers; hence the set theoretic notation.) Finally, $=_2$ is the equality predicate for the second-sort objects. We will write $=$ for both $=_1$ and $=_2$, and which one it is will be clear from the context. Sometimes we shall use the abbreviation $X(t)$ for $t \in X$.






We denote by $\Sigma^B_0$ the set of formulas over the language $\mathcal{L}^2_A$ whose only quantifiers are bounded number quantifiers, and we denote by $\Sigma^B_1$ the set of formulas of the form

$$(\exists X_1 \le t_1) \cdots (\exists X_n \le t_n)\,\alpha$$

where $\alpha$ is a $\Sigma^B_0$ formula. Here the expression $(\exists X \le t)$ denotes $(\exists X)[|X| \le t]$.

B1. $x + 1 \ne 0$

B2. $x + 1 = y + 1 \supset x = y$

B3. $x + 0 = x$

B4. $x + (y + 1) = (x + y) + 1$

B5. $x \cdot 0 = 0$

B6. $x \cdot (y + 1) = (x \cdot y) + x$

B7. $(x \le y \wedge y \le x) \supset x = y$

B8. $x \le x + y$

B9. $0 \le x$

B10. $x \le y \vee y \le x$

B11. $x \le y \leftrightarrow x < y + 1$

B12. $x \ne 0 \supset \exists y \le x\,(y + 1 = x)$

L1. $y \in X \supset y < |X|$

L2. $y + 1 = |X| \supset y \in X$

SE. $[\,|X| = |Y| \wedge \forall i < |X|\,(i \in X \leftrightarrow i \in Y)\,] \supset X = Y$

Figure 1: The 2-BASIC axioms.

For a set of formulas $\Phi$, the Comprehension Axiom Scheme, $\Phi$-COMP, is the set of formulas

$$(\exists X \le y)(\forall z < y)(X(z) \leftrightarrow \phi(z))$$

where $\phi(z)$ is any formula in $\Phi$ and $X$ does not occur free in $\phi(z)$.

The theory $V^i$, for $i = 0, 1$, is the theory with the axioms 2-BASIC (in Figure 1) and the $\Sigma^B_i$-COMP axiom scheme.

In proving the correctness of the Rabin-Miller algorithm we are going to rely heavily on the following theorem, proved in [1]:

Theorem 2.1 ($V^1$ captures polytime reasoning) A function $f : \{0,1\}^* \to \{0,1\}^*$, i.e., $f$ is a function from strings to strings, is polytime computable iff there exists a formula $\phi \in \Sigma^B_1$ such that:

$$\phi(X, Y) \leftrightarrow f(X) = Y$$
$$V^1 \vdash \forall X \exists Y\, \phi(X, Y)$$

See [1] for a proof of this theorem.

The theory $V^1$ allows us to prove induction and minimization axioms from the axioms we already have. As we make use of those in our proof of the correctness of the Rabin-Miller algorithm, we state them here explicitly.

The Number Induction Axiom states that if $\Phi$ is a set of two-sorted formulas, then the $\Phi$-IND axioms are the formulas

$$[\phi(0) \wedge \forall x\,(\phi(x) \supset \phi(x + 1))] \supset \forall z\, \phi(z)$$

where $\phi$ is a formula in $\Phi$.

The Number Minimization Axiom states that if $\Phi$ is a set of two-sorted formulas, then the $\Phi$-MIN axioms are the formulas

$$\exists z\, \phi(z) \supset \exists y\,[\phi(y) \wedge \neg \exists x\,(x < y \wedge \phi(x))]$$

where $\phi$ is a formula in $\Phi$.

We are of course interested in the cases where $\Phi$ is either $\Sigma^B_0$ or $\Sigma^B_1$.

Theorem 2.2 For $i = 0$ or $i = 1$, $V^i$ proves both $\Sigma^B_i$-IND and $\Sigma^B_i$-MIN.

See [1] for a proof of this theorem. Note that this theorem allows us to do induction on $\Sigma^B_1$ formulas, and minimization over $\Sigma^B_1$ formulas, when arguing about the correctness of the Rabin-Miller algorithm, without taking us outside the polytime theory $V^1$.

3 Number theoretic background 

In this section we give the basic number theoretic notions that will be used in 
our paper, as well as recall Euler's theorem and its corollary, Fermat's Little 
theorem. 

We do not need Euler's theorem in our proof of correctness, but we include it since it provides the most general proof of Fermat's Little theorem, which is the principle from which, as we show, the correctness of the Rabin-Miller algorithm follows. We recall that Euler's theorem itself follows directly from Lagrange's theorem (of course, it also follows directly from the Prime Factorization theorem).

We also present Euclid's algorithm for computing the greatest common divisor of two numbers. The correctness of the extended Euclid's algorithm (provable in $V^1$) is the main workhorse of our proof.

Two numbers $x, y$ are equivalent modulo a third number $p$ (we write $x \equiv y \pmod p$) if they differ by a multiple of $p$. Every number is equivalent modulo $p$ to some number in $\mathbb{Z}_p = \{0, 1, \ldots, (p - 1)\}$.

For convenience we let $\mathbb{Z}_p^+ = \{1, \ldots, (p - 1)\}$. We let $\mathbb{Z}_p^*$ be the subset of $\mathbb{Z}_p^+$ of elements $a$ such that $\gcd(a, p) = 1$. Note that $(\mathbb{Z}_p, +)$ is a group (under addition) and $(\mathbb{Z}_p^*, \cdot)$ is a group (under multiplication). The latter fact means that $\mathbb{Z}_p^*$ can be alternatively defined as

$$\{a \in \mathbb{Z}_p^+ \mid a \text{ has a (multiplicative) inverse in } \mathbb{Z}_p^+\}$$

and it follows from the next lemma.
Lemma 3.1 (Euclid's Lemma) For any two numbers $a$ and $b$ there exist numbers $x$ and $y$ such that $ax + by = \gcd(a, b)$. Furthermore, the correctness of the extended Euclid's algorithm (where "correctness" simply states that on input $a, b$ the output $x, y$ satisfies the condition $ax + by = \gcd(a, b)$) is provable in $V^1$.

Proof: The lemma can be proved by analyzing the extended Euclid's algorithm:

On input $(a, b)$:

1. if $a < b$ then

2.   let $(y, x, d) := \mathrm{euclid}(b, a)$

3.   return $(x, y, d)$

4. if $b = 0$ then

5.   return $(1, 0, a)$

6. let $(z, x, d) := \mathrm{euclid}(b, a \bmod b)$

7. return $(x,\ z - (a \div b)x,\ d)$

Figure 2: Extended Euclid's algorithm

The correctness of the algorithm is easily shown by induction, with the inductive step (for lines 6-7) proved as follows:

$$\begin{aligned}
ax + b(z - (a \div b)x) &= ax + bz - b(a \div b)x \\
&= bz + (a - b(a \div b))x \\
&= bz + (a \bmod b)x \\
&= d
\end{aligned}$$

This is clearly a proof that can be carried out in polynomial time, i.e., in $V^1$.
□
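The algorithm of Figure 2 and the inductive step above, written out as runnable Python (an added example, not code from the paper): `euclid` follows the figure line by line, with integer division `a // b` standing for the $(a \div b)$ of line 7, and `modular_inverse` uses the Bezout coefficients it returns to invert an element of $\mathbb{Z}_p^*$, which is how the lemma gives the alternative definition of $\mathbb{Z}_p^*$ stated above. The function names are mine.

```python
def euclid(a, b):
    """Extended Euclid's algorithm as in Figure 2.
    Returns (x, y, d) with a*x + b*y == d == gcd(a, b)."""
    if a < b:                            # line 1: make the first argument the larger one
        y, x, d = euclid(b, a)           # line 2: b*y + a*x = d
        return x, y, d                   # line 3: so a*x + b*y = d
    if b == 0:                           # line 4
        return 1, 0, a                   # line 5: gcd(a, 0) = a = 1*a + 0*b
    z, x, d = euclid(b, a % b)           # line 6: b*z + (a mod b)*x = d
    return x, z - (a // b) * x, d        # line 7: the inductive step proved above


def bezout_holds(a, b):
    """Check the correctness condition of Lemma 3.1 on one input."""
    x, y, d = euclid(a, b)
    return a * x + b * y == d


def modular_inverse(a, p):
    """Inverse of a in Z_p^+ obtained from Euclid's lemma: if a*x + p*y = 1
    then a*x = 1 (mod p).  Returns None when gcd(a, p) != 1, i.e. when a
    is not in Z_p^*."""
    x, _, d = euclid(a, p)
    if d != 1:
        return None
    return x % p
```

Only multiplications, divisions and a logarithmic number of recursive calls are used, which is the polynomial-time content the lemma asks for.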

The easiest way to prove Euler's theorem is from Lagrange's theorem. The 
proof of Lagrange's theorem is basic, and it is included in all standard algebra 
textbooks. Still, it is a proof that we do not know how to carry out in V 1 . 

Theorem 3.1 (Lagrange's Theorem) If $H$ is a subgroup of $G$, then the order of $H$ divides the order of $G$, i.e., $H \le G \Rightarrow |H| \mid |G|$. In particular, the order of any element divides the order of the group.

The function $\phi(n)$ is called the Euler totient function, and it is the number of elements less than $n$ that are co-prime to $n$, i.e., $\phi(n) = |\mathbb{Z}_n^*|$. If we are able to factor, we are also able to compute $\phi(n)$: suppose $n = p_1^{e_1} p_2^{e_2} \cdots p_l^{e_l}$, then

$$\phi(n) = \prod_{i=1}^{l} p_i^{e_i - 1}(p_i - 1).$$

Theorem 3.2 (Euler's Theorem) For every $n$ and every $a \in \mathbb{Z}_n^*$, $a^{\phi(n)} \equiv 1 \pmod n$.
Proof: This is a consequence of Lagrange's Theorem (which says that the order of any subgroup, and hence the order of any element, divides the order of the group). □

Theorem 3.3 (Fermat's Little Theorem) For every prime $p$ and every $a \in \mathbb{Z}_p^+$, we have $a^{(p-1)} \equiv 1 \pmod p$.

Proof: A consequence of Euler's Theorem. Note that when $p$ is a prime, $\mathbb{Z}_p^+ = \mathbb{Z}_p^*$, and $\phi(p) = (p - 1)$. □

Currently we do not have a polytime proof of Fermat's Little theorem, and 
for the reasons outlined in the introduction we do not expect to be able to 
prove it in a theory like V 1 , since a standard witnessing argument would then 
imply that we can have a randomized polytime algorithm for factoring, which 
is something that is generally not believed to be possible. 

As an aside, note that a stronger induction than the one in $V^1$, i.e., an induction that can be carried out on "values" of strings rather than on "notation", which means an induction of the kind found in the theory $T^1_2$ (see [?, §5.2]), can prove Fermat's Little theorem. Here is the outline of the proof: we show that for $\gcd(a, p) = 1$, $a^p \equiv a \pmod p$, by induction on $a$. It is enough to prove this, since if $\gcd(a, p) = 1$, then $a$ has an inverse in $\mathbb{Z}_p^+$, and so Fermat's Little theorem follows. The basis case is trivial: $1^p \equiv 1 \pmod p$. Now

$$(a + 1)^p = a^p + 1 + \sum_{j=1}^{p-1} \binom{p}{j} a^{p-j}$$

(where we need $\Sigma^B_1$ formulas to express the binomial expansion). Note that $\sum_{j=1}^{p-1} \binom{p}{j} a^{p-j} \equiv 0 \pmod p$, and so the result follows.



4 Pseudoprimes 

Fermat's little theorem provides a "test" for primality, called the Fermat test. When we say that $p$ passes the Fermat test at $a$, we mean that $a^{(p-1)} \equiv 1 \pmod p$. Thus, all primes pass the Fermat test for all $a \in \mathbb{Z}_p^+$.

Unfortunately, there are also composite numbers $n$ that pass the Fermat test at every $a \in \mathbb{Z}_n^*$; these are the so-called Carmichael numbers (e.g., 561, 1105, 1729).

Lemma 4.1 If $p$ is a composite non-Carmichael number, then it passes Fermat's test for at most half of the elements of $\mathbb{Z}_p^*$.

Proof: (This is exercise 10.16 in [7].) Call $a$ a witness if it fails the Fermat test for $p$, that is, if $a^{(p-1)} \not\equiv 1 \pmod p$.

Consider $S \subseteq \mathbb{Z}_p^*$ consisting of those elements $a \in \mathbb{Z}_p^*$ for which $a^{p-1} \equiv 1 \pmod p$. It is easy to check that $S$ is in fact a subgroup of $\mathbb{Z}_p^*$. Therefore, using Lagrange's Theorem, $|S|$ must divide $|\mathbb{Z}_p^*|$. Suppose now that there exists an element $a \in \mathbb{Z}_p^*$ for which $a^{p-1} \not\equiv 1 \pmod p$. Then $S$ is not "everything" (i.e., not $\mathbb{Z}_p^*$), so the next best thing it can be is "half" (of $\mathbb{Z}_p^*$). □

A number is pseudoprime if it is either prime or Carmichael. The last lemma suggests an algorithm for pseudoprimes: on input $p$, check $a^{(p-1)} \equiv 1 \pmod p$ for some random $a \in \mathbb{Z}_p^+$. If the test fails (i.e., $a^{(p-1)} \not\equiv 1$), then $p$ is composite for sure. If $p$ passes the test, then it is probably pseudoprime. From the above lemma we know that the probability of error in this case is $\le \frac{1}{2}$. Note that if $\gcd(a, p) \ne 1$, then $a^{(p-1)} \not\equiv 1 \pmod p$. Thus, on Carmichael numbers, the algorithm for pseudoprimality might sometimes answer "composite", and sometimes "pseudoprime".
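The Fermat test and the pseudoprimality algorithm of this section, as an added Python example (not from the paper): for a given $p$ it counts how many $a \in \mathbb{Z}_p^+$ fail the test, separating the units $\mathbb{Z}_p^*$ from the non-units, so that Lemma 4.1 (at most half the units pass for a composite non-Carmichael $p$), the Carmichael case (every unit passes) and the remark that every non-unit fails can all be checked numerically. The function names are mine, and the inputs 15 and 561 used in the checks are constructed samples.

```python
from math import gcd, isqrt


def fermat_test(p, a):
    """True iff p passes the Fermat test at a, i.e. a^(p-1) = 1 (mod p)."""
    return pow(a, p - 1, p) == 1


def pseudoprime_algorithm(p, a):
    """The algorithm of Section 4 for one chosen a in Z_p^+."""
    return "pseudoprime" if fermat_test(p, a) else "composite"


def is_composite(n):
    """Trial division; adequate for the small sample inputs used here."""
    return n > 1 and any(n % d == 0 for d in range(2, isqrt(n) + 1))


def is_carmichael(n):
    """Composite n that passes the Fermat test at every a in Z_n^*."""
    return is_composite(n) and all(
        fermat_test(n, a) for a in range(1, n) if gcd(a, n) == 1)


def carmichael_numbers_below(bound):
    return [n for n in range(2, bound) if is_carmichael(n)]


def fermat_witness_counts(p):
    """Over Z_p^+ = {1, ..., p-1}, count the a at which the Fermat test
    fails (the witnesses), split into units and non-units.
    Returns (#units, #unit witnesses, #non-units, #non-unit witnesses)."""
    units = [a for a in range(1, p) if gcd(a, p) == 1]
    nonunits = [a for a in range(1, p) if gcd(a, p) > 1]
    return (len(units), sum(not fermat_test(p, a) for a in units),
            len(nonunits), sum(not fermat_test(p, a) for a in nonunits))
```

For $p = 15$ exactly half of the eight units are witnesses, so the bound of Lemma 4.1 is tight there; for $p = 561$ no unit is a witness, while all 240 non-units are, which is exactly why the algorithm answers inconsistently on Carmichael numbers.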

5 Rabin-Miller Algorithm 

The Rabin-Miller algorithm (Figure [3]) "copes" with the Carmichael numbers, 
in effect turning the algorithm for pseudoprimality given in the previous section 
into an algorithm for primality. 

On input $(p, a)$:

1. If $p$ is even, accept if $p = 2$; otherwise, reject.

2. Compute $a^{(p-1)} \pmod p$ and reject if $\ne 1$.

3. Let $(p - 1) = s 2^h$ where $s$ is odd.

4. Compute the sequence $a^{s \cdot 2^0}, a^{s \cdot 2^1}, a^{s \cdot 2^2}, \ldots, a^{s \cdot 2^h} \pmod p$.

5. If some element of this sequence is not 1, find the last element that is not 1, and reject if that element is not $-1$.

6. Accept.

Figure 3: The Rabin-Miller algorithm.

Note that if we got to step 4 in the algorithm, it means that $a^{s \cdot 2^h} \equiv 1 \pmod p$. We say that $a$ is a witness (of compositeness) of type 1 or type 2 if the algorithm rejects at step 2 or step 5, respectively.

The algorithm is polytime (we can compute the sequence in step 4 via iterated squaring). If we randomly select $a$ from $\mathbb{Z}_p^+$, it becomes an RP algorithm.

Before proving that the algorithm is correct, we have to state this fact in the language of our theory. We would like to say that "there are few false positives". The meaning of "few" can be chosen to be "at most one half" (if we need a better bound, we can achieve it using the idea of amplification, meaning that we repeat the algorithm $k$ many times, on independently selected $a$'s, and achieve an error which for $k$ equal to, say, 100, is negligible).

But how do we speak about probability? The obvious way would be to express our event space and capture the size of the subset of "bad" events (i.e., the non-witnesses). But this is not possible in $V^1$, because the event space is exponential in the length of the input $P$, and $V^1$ only allows us to talk about polynomial-length strings (and giving it more power in this domain would allow us to capture more than polytime reasoning and thus defeat the purpose of this analysis).

How then can we compare the cardinalities of two sets without mentioning them explicitly? The set of non-witnesses is at most half of the size of the set of all candidates if and only if there exists an injective mapping from non-witnesses to witnesses. Again, stating the existence of such a mapping in general is not possible in $V^1$, so we strengthen our goal to prove the existence of a particular type of mapping; see Figure 4. Because we require $T$ to have an inverse $T'$ modulo $P$, we know that the function mapping $A$ to $A \cdot T$ is injective. Note that the statement we want to prove is not a $\Sigma^B_1$ formula. But this is not a problem, as $V^1$ only restricts the comprehension axiom scheme (and thus the induction) to $\Sigma^B_1$ formulas.

$1 < D < P \wedge D \mid P \;\supset$
  $\exists T, T' < |P|$ such that
    $T \cdot T' \equiv 1 \pmod P$ and
    $\forall A < |P|$ ("$A$ is a non-witness" $\Rightarrow$ "$(A \cdot T \bmod P)$ is a witness")

Figure 4: Correctness assertion.

We will start by showing that a composite $P$ is either a power of a smaller number $Q$, or a product of two relatively prime numbers $Q$ and $R$. Because we do not know how to talk about the prime factorization of $P$ in $V^1$, we will use the following recursive algorithm:

On input $(Q, E, R)$:

1. while $\gcd(Q, R) = G > 1$

2.   if $G = Q$, let $(Q, E, R) := (Q, E + 1, R/Q)$

3.   otherwise, let $(Q, E, R) := (Q/G, E, G^E R)$

4. return $(Q, E, R)$

Figure 5: Factoring.

It is not difficult to see that the while loop preserves the following invariants:

• $P = Q^E R$

• $Q > 1$

• $R = 1 \Rightarrow E > 1$

Therefore the result gives us either $P = Q^E$ with $E > 1$ (when $R = 1$), or $P = QR$ with $Q, R > 1$ and $\gcd(Q, R) = 1$. Moreover, every iteration either increases $E$ by 1 or decreases $Q$ by at least half, so the algorithm runs in polynomial time. Therefore, given that $P$ is composite, and we have a factor $D$ of $P$, i.e., $1 < D < P$, $D \mid P$, we can initialize the algorithm with $(D, 1, P/D)$ and thus prove (in $V^1$) that one of the two desired cases holds indeed.
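The loop of Figure 5, as an added Python example (not the paper's code), initialised with $(D, 1, P/D)$ as prescribed above and asserting the three loop invariants after every iteration. It assumes the caller supplies a proper divisor $D$ of $P$, which is exactly what the hypothesis $1 < D < P \wedge D \mid P$ of the correctness assertion provides; the inputs in the checks are constructed samples.

```python
from math import gcd


def split_composite(P, D):
    """Run Figure 5 on (D, 1, P/D) for a proper divisor D of P.
    Returns (Q, E, R) with P == Q**E * R and either R == 1 (then E > 1),
    or Q, R > 1 with gcd(Q, R) == 1."""
    assert 1 < D < P and P % D == 0, "D must be a proper divisor of P"
    Q, E, R = D, 1, P // D
    iterations = 0
    while True:
        G = gcd(Q, R)                       # step 1
        if G <= 1:
            break
        if G == Q:                          # step 2: Q divides R, raise the exponent
            Q, E, R = Q, E + 1, R // Q
        else:                               # step 3: push the common part G into R
            Q, E, R = Q // G, E, G**E * R
        iterations += 1
        # the three invariants stated in the text
        assert P == Q**E * R
        assert Q > 1
        assert R != 1 or E > 1
        # each iteration either raised E or at least halved Q, so this is bounded
        assert iterations <= E + P.bit_length()
    return Q, E, R                          # step 4


def classify(P, D):
    """Which of the two cases the text derives: 'power' (P = Q^E, E > 1) or
    'coprime' (P = Q*R with gcd(Q, R) = 1 and Q, R > 1)."""
    Q, E, R = split_composite(P, D)
    if R == 1:
        assert E > 1
        return "power"
    assert Q > 1 and R > 1 and gcd(Q, R) == 1
    return "coprime"
```

Note that the output is not a prime factorisation: for $P = 72$ started from $D = 6$ the loop stops at $72 = 3^2 \cdot 8$, which is all the proof needs.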
In the case when $P = Q^E$, $E > 1$, we simply set

$$T := 1 + Q^{(E-1)}, \qquad T' := T^{(P-1)} \pmod P.$$

Then we can show (by induction on the length of $J$) that

$$T^J \equiv 1 + J Q^{(E-1)} \pmod P,$$

and conclude that

$$TT' = T^P \equiv 1 \pmod P.$$

Moreover, whenever $A$ is a non-witness, we know that

$$A^{(P-1)} \equiv 1 \pmod P,$$

and thus

$$(AT)^{(P-1)} \equiv T^{(P-1)} \equiv T' \not\equiv 1 \pmod P,$$

so $AT$ is a (type 1) witness, as required.

In the other case more work needs to be done. First we represent $(P - 1) = S 2^h$, with odd $S$, as in the algorithm. Then we let

$$\alpha(i) := (\exists Z < |P|)\,[Z^{S 2^i} \equiv -1 \pmod P].$$

From the fact that $S$ is odd we know that $\alpha(0)$ holds (take $Z = P - 1$). Now $\alpha(h)$ is either true or false. If it is true, then we let both $T$ and $T'$ be the $Z$ witnessing that fact. Thus we have:

$$TT' = Z^2 = (-1)^2 = 1 \pmod P,$$

and, as before, whenever $A$ is a non-witness, $AT$ is a (type 1) witness.

When $\alpha(h)$ is false, then by the minimality principle (equivalent to induction, and allowed because $\alpha$ is a $\Sigma^B_1$ formula) we can get the smallest $i$ for which $\alpha(i + 1)$ is false. Let $Z$ be the witness of $\alpha(i)$ being true. Remember that we have a factoring $P = QR$, with $\gcd(Q, R) = 1$. According to Euclid's lemma we can compute $X$ and $Y$ such that

$$XQ + YR = \gcd(Q, R) = 1.$$
Now we let $T := XQ + YZR \pmod P$, $T' := T^{S 2^{i+1} - 1}$, and notice that

$$\begin{aligned}
T &\equiv XQ + YZR \equiv XQ + YZR + X(Z - 1)Q = Z(XQ + YR) = Z \pmod Q \\
T &\equiv XQ + YZR \equiv XQ + YZR - Y(Z - 1)R = XQ + YR = 1 \pmod R \\
T^{S 2^i} &\equiv Z^{S 2^i} \equiv -1 \pmod Q \\
T^{S 2^i} &\equiv 1^{S 2^i} = 1 \pmod R \\
TT' &= T^{S 2^{i+1}} \equiv (-1)^2 = 1 \pmod Q \\
TT' &= T^{S 2^{i+1}} \equiv 1^2 = 1 \pmod R \\
TT' &\equiv 1 \pmod P
\end{aligned}$$


Suppose that $P \mid (T^{S 2^i} + 1)$. Then $R \mid (T^{S 2^i} + 1)$. But as $R \mid (T^{S 2^i} - 1)$, we would have that

$$R \mid \big((T^{S 2^i} + 1) - (T^{S 2^i} - 1)\big) = 2$$

and thus $2 = R \mid P$, which is not possible, as the algorithm deals with even $P$'s in step 1.

Analogously, we cannot have $P \mid (T^{S 2^i} - 1)$. Therefore we know that $T^{S 2^i} \not\equiv \pm 1 \pmod P$. Now, if we consider any non-witness $A$, we will have

$$A^{S 2^i} \equiv \pm 1 \pmod P \quad\text{and}\quad A^{S 2^{i+1}} \equiv 1 \pmod P$$

owing to the way $i$ was chosen. But then $(AT)^{S 2^i} \not\equiv \pm 1 \pmod P$ and $(AT)^{S 2^{i+1}} \equiv 1 \pmod P$, so again $AT$ is a (type 2) witness.
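The Rabin-Miller algorithm of Figure 3 (with the type 1 / type 2 classification of witnesses) and the construction of $T, T'$ from the case analysis just completed, put together as one added Python example (mine, not the paper's) that checks the assertion of Figure 4 on small constructed inputs. It assumes the decomposition $(Q, E, R)$ of Figure 5 is supplied by the caller, finds the $Z$ witnessing $\alpha(i)$ by exhaustive search over $\mathbb{Z}_P^+$ (which is not polytime and is only meant for small $P$), and obtains the Bezout coefficients $X, Y$ from Python's `pow(Q, -1, R)` rather than from Figure 2. In the case where $\alpha(h)$ holds it takes $T' = Z^{2(P-1)-1}$, an inverse of $Z$ modulo $P$ because $Z^{P-1} \equiv -1$, in place of the paper's $T' = Z$.

```python
def split_exponent(P):
    """Write P - 1 = S * 2^h with S odd (step 3 of Figure 3)."""
    S, h = P - 1, 0
    while S % 2 == 0:
        S, h = S // 2, h + 1
    return S, h


def rabin_miller(p, a):
    """Figure 3 on input (p, a).  Returns 'accept', or the kind of rejection:
    'even' (step 1), 'type 1' (step 2) or 'type 2' (step 5)."""
    if p % 2 == 0:                                    # step 1
        return "accept" if p == 2 else "even"
    if pow(a, p - 1, p) != 1:                         # step 2
        return "type 1"
    s, h = split_exponent(p)                          # step 3
    seq = [pow(a, s, p)]                              # step 4, by iterated squaring
    for _ in range(h):
        seq.append(seq[-1] * seq[-1] % p)
    not_one = [b for b in seq if b != 1]              # step 5
    if not_one and not_one[-1] != p - 1:
        return "type 2"
    return "accept"                                   # step 6


def build_T(P, Q, E, R):
    """Construct T, T' from P = Q^E * R as delivered by Figure 5 (either
    R == 1 with E > 1, or gcd(Q, R) == 1 with Q, R > 1).
    Returns (T, T', case) with T * T' = 1 (mod P)."""
    assert P % 2 == 1 and P == Q**E * R
    if R == 1:                                        # case P = Q^E
        T = 1 + Q**(E - 1)
        return T, pow(T, P - 1, P), "power"
    S, h = split_exponent(P)

    def alpha_witness(i):
        # alpha(i): some Z in Z_P^+ has Z^(S 2^i) = -1 (mod P).
        # Exhaustive search: fine for the small sample inputs used here.
        for Z in range(1, P):
            if pow(Z, S * 2**i, P) == P - 1:
                return Z
        return None

    i, Z = 0, P - 1                                   # alpha(0) holds with Z = P - 1
    while i < h:                                      # least i with alpha(i + 1) false
        nxt = alpha_witness(i + 1)
        if nxt is None:
            break
        i, Z = i + 1, nxt
    if i == h:                                        # alpha(h) holds
        # (assumption) T' = Z^(2(P-1)-1) inverts Z since Z^(P-1) = -1 (mod P)
        return Z, pow(Z, 2 * (P - 1) - 1, P), "alpha(h)"
    # gcd(Q, R) = 1: Euclid's lemma gives X, Y with X*Q + Y*R = 1;
    # pow(Q, -1, R) is Python's modular inverse, standing in for Figure 2
    X = pow(Q, -1, R)
    Y = (1 - X * Q) // R
    assert X * Q + Y * R == 1
    T = (X * Q + Y * Z * R) % P                       # T = Z (mod Q), T = 1 (mod R)
    T_prime = pow(T, S * 2**(i + 1) - 1, P)
    return T, T_prime, "coprime"


def check_assertion(P, Q, E, R):
    """Check Figure 4 for P: T*T' = 1 (mod P), and A -> A*T (mod P) sends
    every non-witness A in Z_P^+ to a witness.  Returns (number of
    non-witnesses, number of them whose image is a witness)."""
    T, T_prime, _ = build_T(P, Q, E, R)
    assert T * T_prime % P == 1
    non_witnesses = [A for A in range(1, P) if rabin_miller(P, A) == "accept"]
    images = [A * T % P for A in non_witnesses]
    assert len(set(images)) == len(images)            # injective, as T is invertible
    mapped = sum(rabin_miller(P, B) != "accept" for B in images)
    return len(non_witnesses), mapped
```

For $P = 25 = 5^2$ the power case applies with $T = 6$, and for the Carmichael number $P = 561 = 3 \cdot 187$ the coprime case applies with $i = 0$ (since $\alpha(1)$ already fails) and $T = 188$, which is $\equiv -1 \pmod 3$ and $\equiv 1 \pmod{187}$ as the congruences above require.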

Having considered all the cases, we have proved (in $V^1$) that the probability of accepting a composite number is at most $\frac{1}{2}$. To arrive at the correctness of the Rabin-Miller test we need to prove one last lemma:

Lemma 5.1 Suppose that $P$ is a prime number. Then the Rabin-Miller algorithm accepts $(P, A)$ for every $A \in \mathbb{Z}_P^+$ (that is, there are no false negatives).

Proof: Assume that $P$ is prime, but the algorithm rejects $(P, A)$. If $A$ was a type 1 witness, $A^{(P-1)} \not\equiv 1 \pmod P$, then Fermat's little theorem would imply that $P$ is composite. If $A$ was a type 2 witness, some $B$ exists in $\mathbb{Z}_P^+$, where $B \not\equiv \pm 1 \pmod P$ and $B^2 \equiv 1 \pmod P$. Therefore, $(B^2 - 1) \equiv 0 \pmod P$, and so $P$ has to divide $(B - 1)(B + 1)$. But because $B \not\equiv \pm 1 \pmod P$, both $(B - 1)$ and $(B + 1)$ are strictly between 0 and $P$. As we assumed $P$ to be a prime, we have $\gcd(P, B - 1) = \gcd(P, B + 1) = 1$, and (using Euclid's lemma) $\gcd(P, (B - 1)(B + 1)) = 1$, a contradiction. □

The only part of this lemma (and thus of the whole proof of correctness) not shown in $V^1$ is Fermat's little theorem. It is also obvious that it is implied by the correctness of the Rabin-Miller algorithm. Therefore we can formulate the main result of this work:

Theorem 5.1 $V^1$ proves the equivalence of Fermat's little theorem to the correctness of the Rabin-Miller randomized algorithm for primality.

6 Conclusion 

We gave a direct and conceptually simple proof of the equivalence, in $V^1$, of the correctness of the Rabin-Miller algorithm (properly stated) and Fermat's Little Theorem. The proof relies on rudimentary number theory, and more concretely, on a proof of correctness in $V^1$ of the extended Euclid's algorithm for computing the greatest common divisor.

It is a very interesting open problem, although probably very difficult, to show the independence of Fermat's Little theorem from $V^1$, and hence the independence of the correctness of the Rabin-Miller algorithm from $V^1$.